Topsec Cloud Solutions | News From the World of IT Security

What is NotPetya Ransomware?

Author: Gary Fleming
Topics: IT Security, Email Security, Spam, Topsec Email Security

A massive new global cyber-attack has struck with a reach similar to the WannaCry ransomware attack that infected more than 300,000 computers worldwide last month. The latest attack was initially thought to be a strain of the Petya ransomware which hit last year; however, it has now emerged that it is a different strain that borrows some of Petya's code. The latest ransomware is therefore being referred to as NotPetya, SortaPetya or Petna. It also includes the exploit code known as "EternalBlue", which is widely believed to have been stolen from the US National Security Agency (NSA) and was also used in last month's WannaCry ransomware attack.

The source of the virus is still unknown. It renders the victim's computer unbootable by overwriting the hard drive's Master Boot Record (MBR) and encrypting its Master File Table (MFT), then demands a ransom paid in Bitcoin. Many companies from across the globe are reporting that they have been struck by the NotPetya ransomware, including British advertising agency WPP, Russian oil companies and Ukrainian banks, power plants and airports. In Ireland, representatives from both US pharmaceutical company MSD and global container shipping company Maersk Line confirmed they had been "compromised" by the virus. In Australia, a Cadbury's chocolate factory was also hit.

Unlike WannaCry, there is no kill switch; however, researchers found a "vaccine" that prevents the ransomware from running. Before encrypting, NotPetya checks for a specific file in the Windows folder and exits its encryption routine if that file already exists on disk. Users can therefore create that file on their PCs and mark it read-only, which blocks the current strain of NotPetya from executing on that machine.

 

How to enable the NotPetya vaccine?

To vaccinate your computer against the current strain of NotPetya/Petya/Petna, simply create a file called perfc in the C:\Windows folder and make it read-only. Note that this only blocks the current strain on the machine where the file exists; it is not a substitute for installing the Microsoft patch (MS17-010) that closes the SMB vulnerability EternalBlue exploits. For those who want a quick and easy way to perform this task, Lawrence Abrams of BleepingComputer has created a batch file that performs this step for you. This batch file can be found here.

For those who wish to vaccinate their computer manually, you can do so using the below steps:

First, configure Windows to show file extensions. If you do not know how to do this, you can use this guide. Just make sure the Folder Options setting "Hide extensions for known file types" is unchecked, as below.

[Screenshot: petya 1.jpg]

Once you have enabled the viewing of extensions (which you should always have enabled), open the C:\Windows folder and scroll down until you see the notepad.exe program.

[Screenshot: petya 2.jpg]

Once you see notepad.exe, left-click on it once so it is highlighted, then press Ctrl+C to copy and Ctrl+V to paste it. When you paste, Windows will prompt you for administrator permission to copy the file into this folder.

[Screenshot: petya 3.jpg]

Press Continue and the file will be created as notepad - Copy.exe. Left-click on this file, press F2 on your keyboard, erase the name notepad - Copy.exe and type perfc (with no extension), as shown below.

[Screenshot: petya 4.jpg]

Once the filename has been changed to perfc, press Enter. Because the file no longer has an extension, you will receive a prompt asking if you are sure you wish to rename it.

[Screenshot: petya 5.jpg]

Click Yes. Windows will once again ask for administrator permission to rename a file in that folder; click Continue.

Now that the perfc file has been created, we need to make it read-only. To do that, right-click the file and select Properties, as shown below.

[Screenshot: petya 6.jpg]

The Properties window for this file will open. At the bottom is a checkbox labelled Read-only. Tick it, as shown in the image below.

[Screenshot: petya 7.jpg]

Click Apply and then OK. The Properties window will close and your computer is now vaccinated against the current NotPetya/SortaPetya/Petya strain.
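The same vaccination can be scripted so it can be pushed to many machines. The script below is an added example, not part of the original article and not BleepingComputer's batch file; it assumes the file name given above, perfc, under %SystemRoot% (normally C:\Windows), and the function and variable names are chosen here for illustration. It refuses to run without elevation, creates the file only if it is missing, sets the read-only attribute, and finally reports whether the vaccine file is present and read-only.

```powershell
# Added example: create the NotPetya "vaccine" file and mark it read-only.
# Run from an elevated (Administrator) PowerShell prompt; writing into C:\Windows requires it.
# Only the file's existence matters to the malware check, so an empty file is sufficient.

$vaccineDir = $env:SystemRoot   # normally C:\Windows

function Set-NotPetyaVaccine {
    param(
        [string[]]$Names = @('perfc'),   # the file name named in the article; more can be passed if desired
        [string]$Directory = $vaccineDir
    )

    # Refuse to run un-elevated rather than fail half-way through.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (Administrator) PowerShell prompt."
    }

    foreach ($name in $Names) {
        $path = Join-Path $Directory $name

        if (-not (Test-Path -LiteralPath $path)) {
            # The manual steps above copy notepad.exe; an empty file works just as well.
            New-Item -ItemType File -Path $path | Out-Null
        }

        # Set the read-only attribute so the file cannot simply be overwritten.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-NotPetyaVaccine {
    param(
        [string[]]$Names = @('perfc'),
        [string]$Directory = $vaccineDir
    )
    # Returns $true only if every requested vaccine file exists and is read-only.
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) { return $false }
        if (-not (Get-Item -LiteralPath $path).IsReadOnly) { return $false }
    }
    return $true
}

Set-NotPetyaVaccine
if (Test-NotPetyaVaccine) {
    Write-Host "Vaccine file present and read-only under $vaccineDir"
} else {
    Write-Warning "Vaccine file missing or writable under $vaccineDir"
}
```

Test-NotPetyaVaccine can be run on its own (without elevation) to audit a machine, for example from a login script or remote session, since reading the attribute does not require administrator rights.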

 

How can I protect myself from Ransomware?

  1. Keep all security software, operating systems and other software up to date. Software updates regularly include patches for newly discovered security vulnerabilities that could otherwise be exploited by attackers. In the case of WannaCry, the attackers exploited an SMB vulnerability in unpatched Windows systems for which Microsoft had already released a fix (MS17-010).
  2. Email is one of the main infection methods, so be wary of unexpected emails, especially if they contain links and/or attachments. Do not enable macros within Microsoft Office documents unless you are sure the email is genuine and from a trusted source. Ideally, use a comprehensive email security solution to quarantine encrypted attachments, macro-enabled attachments and archive-type attachments. Also, do not click any links within emails received from unknown senders, as these are often used by attackers to penetrate your network. Topsec Blended Threats can help mitigate this risk: every link within an email is re-written, and each time the link is clicked, Blended Threats checks for any direct injection of malicious code and blocks harmful websites from being served.
  3. Install a full Endpoint Detection and Response (EDR) service such as Adaptive Defense 360 that will protect against such an attack even if it penetrates your network and reaches servers or local devices.
  4. Back up any important data. This reduces the leverage attackers gain by encrypting valuable files and making them inaccessible: if you have a backup copy, you can restore the files once the infection has been cleaned up. Ensure backups are kept secure and stored offline so that attackers cannot delete or encrypt them too.

 

Get in touch to see how Topsec can help you keep your network safe, or learn how our partner Icelantic has used Topsec Email Security to keep their clients' networks safe from ransomware.

 
